Citations
1515 | The model checker SPIN - Holzmann - 1997
Citation context: ...e only additional differences here. The benefits of static analysis are widely acknowledged, even more so recently as a result of the extensive work in model checking research and industrial practice [10, 14, 36]. Though model checking has its origins in hardware verification, an impressive collection of results spans a spectrum of programming languages and software systems. Given that it is difficult to summ...
1348 | Chaff: Engineering an Efficient SAT Solver - Moskewicz, Madigan, et al. - 2001
Citation context: ... normal form (CNF). We do not convert them to CNF, but rather apply a SAT-solver that can handle arbitrary propositional formulas [41]; other state-of-the-art SAT solvers such as BerkMin [28] or Chaff [54] could be used by converting the formulas to CNF. The solver we have used, developed by the co-authors at Tübingen, is based on a Davis-Putnam-style [16] algorithm. It can handle formulas involving se...
1259 | A computing procedure for quantification theory - Davis, Putnam - 1960
Citation context: ...-art SAT solvers such as BerkMin [28] or Chaff [54] could be used by converting the formulas to CNF. The solver we have used, developed by the co-authors at Tübingen, is based on a Davis-Putnam-style [16] algorithm. It can handle formulas involving several thousand variables. For example, when the formula in Figure 6 was (translated into the required input format and) supplied to this solver, it produ...
728 | Symbolic execution and program testing - King - 1976
Citation context: ...s. Symbolic execution of programs, where concrete inputs used in testing are replaced with symbolic values to generate constraints between inputs and outputs, have been used for debugging and testing [12, 45] and verification [19]. Early work on symbolic execution was limited by its inability to handle complex types, loops, and dynamic data structures. Coen et al. have shown that symbolic execution can be...
726 | Systematic Software Development using VDM - Jones - 1986
658 | Parametric shape analysis via 3-valued logic - Sagiv, Reps, et al. - 1999
Citation context: ...can be expressed as “graph types” [53]. There is also significant work in shape analysis, including recent work on parametric shape analysis that allows more questions to be answered concerning heaps [62]. Ramalingam et al. describe how to check client conformance with component constraints [61] using abstract interpretation. The goals and methods of these related efforts are quite different from ours...
654 | Bandera: Extracting finite-state models from Java source code - Corbett, Dwyer, et al. - 2000
Citation context: ...a Pathfinder at NASA has been used successfully to locate a variety of heap-related errors [31]. To limit the search space, Bandera, a tool for analyzing Java code, employs user-supplied abstractions [15, 58] whereas Smith et al. have described a system that assists in property specification [74]. The fundamental difference between DEET and such uses of model checkers is in the way a finite-state model of...
459 | Alloy: a lightweight object modelling notation - Jackson - 2002
386 | Model checking Java programs using Java PathFinder - Havelund, Pressburger - 1999
Citation context: ...[5]). Holzmann has employed SPIN to detect numerous bugs in the PathStar processing system developed in C. Java Pathfinder at NASA has been used successfully to locate a variety of heap-related errors [31]. To limit the search space, Bandera, a tool for analyzing Java code, employs user-supplied abstractions [15, 58] whereas Smith et al. have described a system that assists in property specification [7...
384 | Object-Oriented Software Construction, 2nd Edition - Meyer - 1997
Citation context: ...to detect errors in software are widely known [26, 78], assertion checking is especially useful in component-based software development to detect contractual violations among collaborating components [2, 8, 21, 27, 52]. Eiffel is among the earliest systems to popularize runtime assertion checking [52]. iContract, a contract-checking tool for Java programs, has similar objectives [20]. Using an executable industrial...
332 | Formal Verification for Fault-Tolerant Architectures: Prolegomena to the Design of PVS - Owre, Rushby, et al. - 1995
Citation context: ...ss of looking for errors, DEET generates the verification condition that would be needed to prove correctness. Proofs of this assertion can be attempted with human-assisted theorem provers (e.g., PVS [60]) when DEET finds no errors. And using the foundations for an extended system for specification and verification of performance (both time and space) [46, 69, 70], in principle DEET might be extended...
312 | Model checking and modular verification - Grumberg, Long - 1994
Citation context: ...lized computer algebra techniques. 4. OTHER RELATED WORK The idea of error detection within a small “scope”—borrowed by DEET from Alloy—differs from most related work in fundamental ways, as noted in [29, 37, 42, 77], and we summarize only additional differences here. The benefits of static analysis are widely acknowledged, even more so recently as a result of the extensive work in model checking research and ind...
311 | A static analyzer for finding dynamic programming errors - Bush, Pincus, et al. - 2000
Citation context: ...d et al. have addressed properties of the heap and dynamic data structures [43]. Unlike these efforts, whose focus is on verification, PREfix is a tool based on symbolic execution for error detection [6]. While the tool has been shown to reveal errors in large-scale C/C++ systems, it cannot handle properties such as invariants and it can produce false alarms. With user-supplied loop invariants (simil...
284 | BerkMin: a fast and robust SAT-solver - Goldberg, Novikov - 2002
Citation context: ...in conjunctive normal form (CNF). We do not convert them to CNF, but rather apply a SAT-solver that can handle arbitrary propositional formulas [41]; other state-of-the-art SAT solvers such as BerkMin [28] or Chaff [54] could be used by converting the formulas to CNF. The solver we have used, developed by the co-authors at Tübingen, is based on a Davis-Putnam-style [16] algorithm. It can handle formula...
262 | A system to generate test data and symbolically execute programs - Clarke - 1975
Citation context: ...s. Symbolic execution of programs, where concrete inputs used in testing are replaced with symbolic values to generate constraints between inputs and outputs, have been used for debugging and testing [12, 45] and verification [19]. Early work on symbolic execution was limited by its inability to handle complex types, loops, and dynamic data structures. Coen et al. have shown that symbolic execution can be...
232 | Generalized symbolic execution for model checking and testing - Khurshid, Pasareanu, et al. - 2003
Citation context: ... using symbolic execution for model checking, the SLAM project [1] has shown how to handle recursive calls in C code. Khurshid et al. have addressed properties of the heap and dynamic data structures [43]. Unlike these efforts, whose focus is on verification, PREfix is a tool based on symbolic execution for error detection [6]. While the tool has been shown to reveal errors in large-scale C/C++ system...
195 | Bounded model checking using satisfiability solving - Clarke, Biere, et al. - 2001
170 | A runtime assertion checker for the Java Modeling Language (JML) - Cheon, Leavens - 2002
Citation context: ...to detect errors in software are widely known [26, 78], assertion checking is especially useful in component-based software development to detect contractual violations among collaborating components [2, 8, 21, 27, 52]. Eiffel is among the earliest systems to popularize runtime assertion checking [52]. iContract, a contract-checking tool for Java programs, has similar objectives [20]. Using an executable industrial...
154 | The Pointer Assertion Logic Engine - Møller, Schwartzbach - 2001
Citation context: ...ogic. While this work focuses on linear linked lists and tree structures, more recently Møller and Schwartzbach have extended the results to all data structures that can be expressed as “graph types” [53]. There is also significant work in shape analysis, including recent work on parametric shape analysis that allows more questions to be answered concerning heaps [62]. Ramalingam et al. describe how t...
149 | A Simple and Practical Approach to Unit Testing: The JML and JUnit Way. In: ECOOP - Cheon, Leavens - 2002
Citation context: ...n language, AsmL, Barnett et al. describe a system for dynamic checking [2]. Cheon and Leavens have used JML for writing assertions and for runtime assertion checking of component-based Java programs [7, 8, 9]. The benefit of contract checking in commercial development of a component-based C++ software system is described in [34]. Use of wrappers to separate contract-checking code from underlying component...
130 | Verification tools for finite-state concurrent systems - Clarke, Grumberg, et al. - 1994
Citation context: ...e only additional differences here. The benefits of static analysis are widely acknowledged, even more so recently as a result of the extensive work in model checking research and industrial practice [10, 14, 36]. Though model checking has its origins in hardware verification, an impressive collection of results spans a spectrum of programming languages and software systems. Given that it is difficult to summ...
123 | Finding bugs with a constraint solver - Jackson, Vaziri - 2000
Citation context: ... it is complementary in nearly every respect, as explained in this section. Only one technical detail from these systems has been consciously adapted for use in DEET: Jackson’s small scope hypothesis [37], which is discussed in Section 3.2.3. 2.1 Objectives, Context, and Assumptions ESC and Alloy seek incremental improvements to current software engineering practice, focusing on “real” languages [footnote 1: But...]
117 | The Geneva convention on the treatment of object aliasing - Hogg, Lea, et al. - 1992
Citation context: ...on-trivial type parameters, which is an important issue in the design of generic abstractions. It is well known that copying references, while efficient, introduces aliasing and complicates reasoning [33, 49, 79]. The present specification is more flexible. It allows the entry to be moved or swapped into the container structure (efficiently, i.e., in constant time, by manipulating references “under the covers...
115 | TestEra: a novel framework for automated testing of Java programs - Marinov, Khurshid - 2001
96 | Static and dynamic analysis: Synergy and duality - Ernst - 2003
Citation context: ...t-based software based on design-by-contract, not on verifying heap properties. Ernst provides an overview of the complementary merits of dynamic and static analysis approaches for error detection in [24]. While the benefits of writing assertions and using them to detect errors in software are widely known [26, 78], assertion checking is especially useful in component-based software development to det...
93 | Benefits of bounded model checking at an industrial setting - Copty, Fix, et al. - 2001
Citation context: ...e only additional differences here. The benefits of static analysis are widely acknowledged, even more so recently as a result of the extensive work in model checking research and industrial practice [10, 14, 36]. Though model checking has its origins in hardware verification, an impressive collection of results spans a spectrum of programming languages and software systems. Given that it is difficult to summ...
86 | Model-checking LTL with regular valuations for pushdown systems - Esparza, Kucera, et al. - 2003
84 | Model-checking concurrent systems with unbounded integer variables: Symbolic representations, approximations, and experimental results - Bultan, Gerber, et al. - 1999
Citation context: ...is area, we discuss only a representative sample. Finite-state systems are the focus, though there have been efforts to extend model checking to minimize the impact of this inherent limitation (e.g., [5]). Holzmann has employed SPIN to detect numerous bugs in the PathStar processing system developed in C. Java Pathfinder at NASA has been used successfully to locate a variety of heap-related errors [31...
75 | Model variables: cleanly supporting abstraction in design by contract - Cheon, Leavens, et al. - 2005
Citation context: ...n language, AsmL, Barnett et al. describe a system for dynamic checking [2]. Cheon and Leavens have used JML for writing assertions and for runtime assertion checking of component-based Java programs [7, 8, 9]. The benefit of contract checking in commercial development of a component-based C++ software system is described in [34]. Use of wrappers to separate contract-checking code from underlying component...
73 | Static verification of dynamically detected program invariants: Integrating Daikon and ESC/Java - Nimmer, Ernst - 2001
71 | Copying and swapping: Influences on the design of reusable software components - Harms, Weide - 1991
Citation context: ...to be moved or swapped into the container structure (efficiently, i.e., in constant time, by manipulating references “under the covers”) and thus potentially to alter it, without introducing aliasing [30]. Correspondingly, the Remove operation is specified to remove an entry from P, and it replaces the parameter R. Operation Advance allows the list insertion position (fence) to be moved ahead. The res...
70 | Symbolic model checking without BDDs. In Tools and Algorithms for the Construction and Analysis of Systems - Biere, Cimatti, et al. - 1999
Citation context: ...programmers are unwilling or even unable to write full specifications of intended functional behavior, and that they will write only certain kinds of annotations that capture part of that intent; and (3) an interest in a tool that can be used with any software—component-based or not—that can be written in the “real” language. [footnote 2] By contrast, DEET is part of a long-term plan to explore the foundations...
62 | Automatic verification of pointer programs using monadic second order logic - Jensen, Jørgensen, et al.
Citation context: ... in large-scale C/C++ systems, it cannot handle properties such as invariants and it can produce false alarms. With user-supplied loop invariants (similar to the DEET approach for handling loops), in [39] Jensen et al. have discussed how to prove heap-related properties and find counterexamples. Their program has been shown to be quite effective in practice. Their work differs from traditional pointer...
62 | Invariant inference for static checking: An empirical evaluation - Nimmer, Ernst - 2002
60 | Wrestling with rep exposure - Detlefs, Rustan, et al. - 1996
Citation context: ...ingredient of our solution to the problem” [18]. Nonetheless, it is admitted that “one problem in this area that has stumped us is a form of rep exposure that we call abstract aliasing” [18]; see also [17]. The potential for aliasing technically does not always prevent modular reasoning, but the above measures help illustrate that it seriously complicates matters [79]. The Alloy approach “targets prope...
53 | Using symbolic execution for verifying safety-critical systems - Coen-Porisini, Denaro, et al. - 2001
Citation context: ...es. Coen et al. have shown that symbolic execution can be useful for verification of safety-critical properties in an industrial setting, but this requires severe limitations to be placed on the code [13]. More recently, using symbolic execution for model checking, the SLAM project [1] has shown how to handle recursive calls in C code. Khurshid et al. have addressed properties of the heap and dynamic...
49 | Finding feasible counter-examples when model checking Java programs - Pasareanu, Visser - 2001
Citation context: ...a Pathfinder at NASA has been used successfully to locate a variety of heap-related errors [31]. To limit the search space, Bandera, a tool for analyzing Java code, employs user-supplied abstractions [15, 58] whereas Smith et al. have described a system that assists in property specification [74]. The fundamental difference between DEET and such uses of model checkers is in the way a finite-state model of...
48 | Using data groups to specify and check side effects - Leino, Poetzsch-Heffter, et al. - 2002
47 | Contract soundness for object-oriented languages - Findler, Felleisen - 2001
Citation context: ...to detect errors in software are widely known [26, 78], assertion checking is especially useful in component-based software development to detect contractual violations among collaborating components [2, 8, 21, 27, 52]. Eiffel is among the earliest systems to popularize runtime assertion checking [52]. iContract, a contract-checking tool for Java programs, has similar objectives [20]. Using an executable industrial...
42 | Adding Contracts to Java with Handshake - Duncan, Hoelzle - 1998
Citation context: ...rating components [2, 8, 21, 27, 52]. Eiffel is among the earliest systems to popularize runtime assertion checking [52]. iContract, a contract-checking tool for Java programs, has similar objectives [20]. Using an executable industrial-strength specification language, AsmL, Barnett et al. describe a system for dynamic checking [2]. Cheon and Leavens have used JML for writing assertions and for runtime...
42 | Component-based software using RESOLVE - Sitaraman, Weide - 1994
Citation context: .... The overall project goal is not to live within the shackles of current practice, but rather to remove them. DEET’s context includes (1) a combined specification and implementation language (Resolve [66]) that is expressly designed to support modular reasoning, while still permitting the development of “real” software by strictly disciplined use of “real” languages such as C++ [34]; (2) a recognition...
37 | PaSAT - parallel SAT-checking with lemma exchange: Implementation and applications - Sinz, Blochinger, et al. - 2001
36 | Deriving specialized program analyses for certifying component-client conformance - Ramalingam, Warshavsky, et al. - 2002
Citation context: ...cluding recent work on parametric shape analysis that allows more questions to be answered concerning heaps [62]. Ramalingam et al. describe how to check client conformance with component constraints [61] using abstract interpretation. The goals and methods of these related efforts are quite different from ours because our focus is on the total correctness of component-based software based on design-b...
31 | Behavioral Contracts and Behavioral Subtyping - Findler, Latendresse, et al. - 2001
Citation context: ...f the complementary merits of dynamic and static analysis approaches for error detection in [24]. While the benefits of writing assertions and using them to detect errors in software are widely known [26, 78], assertion checking is especially useful in component-based software development to detect contractual violations among collaborating components [2, 8, 21, 27, 52]. Eiffel is among the earliest syste...
30 | An analyzable annotation language - Khurshid, Marinov, et al. - 2002
Citation context: ...e tool will work well for modular analysis of even quite complex classes; how well it scales for analyses amongst classes and whether it will be economical enough for everyday use remains to be seen” [42]. Resolve has value semantics for all variables; there is no aliasing because the language does not permit it [49]. Resolve [footnote 2: ESC handles not just sequential programs but a class of synchronization er...]
26 | Parallel propositional satisfiability checking with distributed dynamic learning - Blochinger, Sinz, et al. - 2003
24 | A Framework for Detecting Interface Violation in Component-Based Software - Edwards, Shakir
Citation context: ...to detect errors in software are widely known [26, 78], assertion checking is especially useful in component-based software development to detect contractual violations among collaborating components [2, 8, 21, 27, 52]. Eiffel is among the earliest systems to popularize runtime assertion checking [52]. iContract, a contract-checking tool for Java programs, has similar objectives [20]. Using an executable industrial...
23 | Modular Verification of Data Abstractions with Shared Realizations - Ernst, Hookway, et al. - 1994
22 | Experience report: Using RESOLVE/C++ for commercial software - Hollingsworth, Blankenship, et al. - 2000
Citation context: ... language (Resolve [66]) that is expressly designed to support modular reasoning, while still permitting the development of “real” software by strictly disciplined use of “real” languages such as C++ [34]; (2) a recognition, based on teaching experience [71], that tomorrow’s software engineers can be taught to understand and even to write formal-language specifications, just as they can be taught to w...
22 | Modular specification of frame properties - Müller, Poetzsch-Heffter, et al. - 2003
16 | Computer Program Verification: Improvements for Human Reasoning - Heym - 1995
Citation context: ...where none exist [37]. DEET is much like Alloy in this regard, with two major exceptions. First, the soundness of verification condition generation has been established for most constructs of Resolve [22, 32, 67, 68]. The overall approach is still that the verification condition needed for full verification is generated from the relevant specifications and code. But then the scopes of all variables are restricted...
15 | Using symbolic execution for verification of Ada tasking programs - Dillon - 1990
Citation context: ...rograms, where concrete inputs used in testing are replaced with symbolic values to generate constraints between inputs and outputs, have been used for debugging and testing [12, 45] and verification [19]. Early work on symbolic execution was limited by its inability to handle complex types, loops, and dynamic data structures. Coen et al. have shown that symbolic execution can be useful for verificati...
13 | A case for efficient solution enumeration - Khurshid, Marinov, et al. - 2003
10 | Serious specification for composing components - Barnett, Grieskamp, et al. - 2003
Citation context: ...to detect errors in software are widely known [26, 78], assertion checking is especially useful in component-based software development to detect contractual violations among collaborating components [2, 8, 21, 27, 52]. Eiffel is among the earliest systems to popularize runtime assertion checking [52]. iContract, a contract-checking tool for Java programs, has similar objectives [20]. Using an executable industrial...
10 | A SAT-based propositional prover for consistency checking of automotive product data - Kaiser - 2001
Citation context: ...that the formulas generated during this process are not in conjunctive normal form (CNF). We do not convert them to CNF, but rather apply a SAT-solver that can handle arbitrary propositional formulas [41]; other state-of-the-art SAT solvers such as BerkMin [28] or Chaff [54] could be used by converting the formulas to CNF. The solver we have used, developed by the co-authors at Tübingen, is based on a...
10 | Modular verification of performance constraints - Krone, Ogden, et al. - 2003
Citation context: ...ith human-assisted theorem provers (e.g., PVS [60]) when DEET finds no errors. And using the foundations for an extended system for specification and verification of performance (both time and space) [46, 69, 70], in principle DEET might be extended to detect errors relative to performance contracts. 3. DEET APPROACH This section explains the DEET approach. As in [37], we choose a simple list example to expla...
7 | Clean Semantics for Calls with Repeated Arguments - Kulczycki, Sitaraman, et al. - 2005
7 | Direct reasoning - Kulczycki - 2004
Citation context: ...classes and whether it will be economical enough for everyday use remains to be seen” [42]. Resolve has value semantics for all variables; there is no aliasing because the language does not permit it [49]. Resolve [footnote 2: ESC handles not just sequential programs but a class of synchronization errors in multi-threaded programs. Alloy and DEET so far are limited to sequential programs.] includes reference-free...
5 | Component Technology for Pointers: Why and How - Kulczycki, Sitaraman, et al. - 2003
Citation context: ...However, it remains possible to write programs for situations where explicit aliasing improves efficiency and would be exploited in a language like Java. Using specifications of pointer-like behavior [47], it is possible to reason about these programs formally and to find errors in them using the DEET approach (although the current prototype does not handle this). Techniques used in ESC and/or Alloy t...
4 | SAT-encodings, search space structure, and local search performance - 1999
4 | Detection of dynamic execution errors in IBM System Automation’s rule-based expert system - Sinz, Lumpp, et al. - 2002
3 | Verifikation regelbasierter Konfigurationssysteme. Fak. für Informations- und Kognitionswissenschaften - Sinz - 2003
2 | Contract-Checking Wrappers for C++ Components - Edwards, Sitaraman, et al. - 2004
Citation context: ...where none exist [37]. DEET is much like Alloy in this regard, with two major exceptions. First, the soundness of verification condition generation has been established for most constructs of Resolve [22, 32, 67, 68]. The overall approach is still that the verification condition needed for full verification is generated from the relevant specifications and code. But then the scopes of all variables are restricted...
1 | Local search on SAT-encoded coloring problems - Prestwich - 2003